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Packet Intercept 



Packets are everywhere 

- LAN networks 

- WAN networks/ Carrier Ethernet 

- 3G Telephony networks 

- CDMA 2000 Networks 

- ISP Networks 

- Etc etc etc 
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Packet Intercept 



Issues 

- Access to the packets on the wire 

- Selection of packets on the wire 

- Accumulation/ Forwarding of packets 
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Access to packets 



Range of network types 

- CDMA/UMTS cellular 

- GSM cellular 

- PSTN 

- WiMax, WiFi 

- Sattelite 

- LAN/WAN 




Roughly divisible into Telecom and Data 

- Also Valid 

• Cellular/ Fixed 

• Enterprise/Operator 



Commercial in Confidence 



www.telesoft-technologies.com 






Access to packets 

Physical access to the transport 
Range of Media 



- Ethernet, E1/T1 , SDH/SONET, GE, CarrierEthernet, 
etc 



- LAN/ISP 

• Span ports 

• Hubs 

• Passive taps 

- WAN/3G/CDMA 2000/etc 

• Passive taps 

• Internal interception functions 

• SPAN ports 
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Access to packets 



Transport protocol handling 

-MPLS 

- VLAN tags 
-ATM (IMA) 

-PPP( ML-PPP ) 

- PoS ( Packet over Sonet ) 
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Selection of packets 



A major problem 

- What are the criteria for selection? 

- Lower layers 

• Label address ( i.e. IP Address, ATM address ) ? 

• Protocols used? 

- Upper Layers 

• Protocol/Service 

• Session Identity 

• User Identity ( email address/ IM id etc ) 

• Cross packet identities 
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And packet selection must be done in real 
time 
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Selection of packets 



Generically requires hardware support 

- Line rates are too fast for software 

Selection on labels easier 

Selection on protocol contents much harder 

- Requires Deep packet Inspection 

- Complex matching criteria 

- Cross packet assembly for matching 

- Session buffering to extract the whole session 
from embedded triggers ( e.g. email cc: ) 
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Selection of packets 



Very hard for routing nodes to do this 

- ‘Internal interception’ 

Many nodes are L2 switches with little packet 
inspection 

- Most switches have a stated aim to keep the 
packet for a minimum time 

Effort required for inspection usually means 
added hardware to the node 

Limited then by manufacturer capability 
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Identity 



Subscriber Identities 

- Many, Many identities 

- Each human probably has 50 used often 

Terminal / equipment identities 

- Many terminals used by one target 

Network Assigned identities 

- Networks use these for obfuscation and mobility 
reasons 

Application/Entity identities 

- Not only humans and equipment have identity 
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Identity 



Conclusions 

- Each human can have many identities 

- Identities can be changed frequently 

- Identities can be used only once 

- Identities can be changed by location 

- Anonymisation services exist on the internet 

• http://www.anonvmizer.com 

• http://www.onion-router.net . 

- Keeping track is VERY difficult when faced with 
knowledgeable adversaries 

But it can be done with sophisticated software 
analysis 
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Cyphering 



Cyphering is a major issue 

- Network based protection 

• 3G information cyphered to the RNC 

• 2G data cyphered to the SGSN 

• IMS sessions protected end to end from the terminals 

- Application based cyphering - 

• Skype 

• HTTPS 

- User based cyphering 

• PGP 

• X.509 SMIME etc 

< 4 ^ 
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Cyphering 



What can be done? 

- Mobile Network based cyphering 

• Access to CK/Kc for the session from core network 

- IMS - end to end - very difficult 

- Skype - proprietary - very difficult. 

- PGP/SMIME - powerful encryption 

Best hope is to record the cyphered session 



and apply cryptographic techniques 
afterwards 

Not Real time though 
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Cyphering 



A big problem that will get bigger 

As communication networks migrate to 
offering end to end transparent pipes 

- More user based encryption 

- More encryption algorithms 

But connection records are still available 

- ( time / duration etc ) 

Patterns of use are still available 

Keys may be available through other means 
than SIGINT 






Accumulation of packets 



Packets rarely travel alone 

Most packets form streams to carry a higher 
layer service 

- Telephone call 

- Web session 

- Email 

- Etc 

Packets therefore need to be acquired, and 
presented in sequence 

Buffering is one solution to this 
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Buffering ( or not ) 



Buffering can be useful 

- But it is resource expensive ( memory ) 

- Controversial in evidential environments 

Allows session reassembly 

- Which enables L7 protocol presentation 

- Allows cross packet pattern recognition 
Provides post analysis capability 
Allows session recovery 

But can delay delivery 

Requires very large resource in high bandwidth 
links (STM-64/1 OG etc) 
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Handover of product 



Standardized 

- ES 101 671, 

- ES 102 232.x 

- J-STD-025, 

- PacketCable 

- ATIS 

Often with national/local variants 
Buffering is sometimes allowed 
Session reassembly is sometimes desired 

- I.e. presentation as email / Web page image etc. 
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Challenges review 



Acquisition 

- Physical interfaces differ 

- Internal Interception limited 

Selection 

- High data rates make this difficult 

- Cyphering prevents DPI 

- Identity obfuscates communication 

Accumulation/Forwarding 

- High data rates 

- Buffering is expensive 



Commercial in Confidence 



www.telesoft-technologies.com 






Solutions! 



Problems split into roughly 2 domains 

- LAN/ISP type access with Gb ethernet 
transports 

- WAN/Core network access where transport 
is 

• High capacity fibre 

• E1/T1 ATM 

• EI/TI/PoS PPP/HDLC 

• Carrier ethernet. 

• GE/10GE 
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Solutions! 



In the 1G ethernet domain 

- Many companies have adapted IDS systems 
( usually from SNORT ) 

- Several companies have hardware acceleration to 
assist with this 

Very useful in enterprise or ISP domain 
Kit is relatively small and powerfull. 



But somrthing bigger is needed in the core 
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Solutions! 



Ethernet based solutions tend not to work so 
well in other environments 

- Specialised , distributed equipment is needed 

- Full network coverage 

Probes cope with the complex Layer 1/ and 
transport stacks 

- Probes cope with the variety of protocols, 
telephony and data ( ATM/ MPLS / Carrier E etc ) 

- Probes offer a pre-processing function to DPI 
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Large scale Solutions! 

Telesoft Technologies specialize in the 
provision of such probes - HINTON product 

- 3G/CDMA 2000/GSM network access 

- Large , distributed networks 

- Access to telephony and data sessions 

- TDM legacy and Packet intercept 

- Highly distributable and scalable 

- Hardware accelerated 

- Centralised Handover 

- Decyphering available with complete access 

- Location ( including Abis/lub ) , Call content, SMS, 
CDR 

Proven, large and small scale deployments 
for intercept 
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